Keyless verification with Bring Your Own Public Key Infrastructure (BYOPKI) #3699

Closed
saschagrunert opened this issue May 16, 2024 · 2 comments
Labels
question Further information is requested

Comments

@saschagrunert (Contributor) commented May 16, 2024

Question

Hey folks, I'm working on a BYOPKI verification example in: https://github.com/saschagrunert/byopki/blob/main/run

It does:

  1. Generate a CA, intermediate CA and leaf certificate using cfssl:
    https://github.com/saschagrunert/byopki/blob/ad923ea/run#L23-L164
  2. Start a container registry and build+push a demo image:
    https://github.com/saschagrunert/byopki/blob/ad923ea/run#L166-L174
  3. Use cosign generate and cosign attach to sign the image:
    https://github.com/saschagrunert/byopki/blob/ad923ea/run#L178-L189
  4. Verify the image using cosign verify … --key, which works:
    https://github.com/saschagrunert/byopki/blob/ad923ea/run#L191-L195
  5. Attempt a keyless verification using `cosign verify … --cert-chain`, which fails:
    https://github.com/saschagrunert/byopki/blob/ad923ea/run#L197-L203

With:

> Verify signature keyless
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:69: error during command execution: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

Setting SIGSTORE_ROOT_FILE to the CA or full chain does not help either. Am I missing something?

I'm using cosign v2.2.4 right now.

@haydentherapper (Contributor) commented

You've specified no extended key usages using cfssl; it should be "code signing" for the leaf certificate. Ref:

x509.ExtKeyUsageCodeSigning,

Your key usages are also overspecified, the root only needs "cert sign" (and possibly "crl sign" if you're issuing CRLs), same with the intermediate. The intermediate also must specify "code signing" per EKU chaining.
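
The EKU requirements described in the comment above, as an added worked example in Go. This is not cosign's own code and not from the byopki repository: it builds a hypothetical root, intermediate and leaf chain in memory with crypto/x509 and then runs the same chain verification with the code-signing EKU that a code-signing verifier performs. The CA names, key sizes and the EKU lists of the mis-issued variants are assumptions. Note that Go treats a certificate with no EKU extension at all as unconstrained, so the failing cases below carry the serverAuth/clientAuth EKUs instead of none; that is what reproduces the "certificate specifies an incompatible key usage" error quoted in the issue, once for a leaf without code signing and once for an intermediate without it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a hypothetical three-tier PKI: root -> intermediate -> leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newTemplate returns a certificate template with the given subject, key usage and EKUs.
func newTemplate(cn string, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	serial.Add(serial, big.NewInt(1)) // serial numbers must be positive
	return &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the parsed certificate together with its freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues root, intermediate and leaf. The CAs carry only the key
// usages needed to issue certificates ("cert sign" and "crl sign"); the two
// EKU lists are the knobs under test.
func BuildChain(intermediateEKU, leafEKU []x509.ExtKeyUsage) (*Chain, error) {
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := issue(newTemplate("byopki root", true, caKU, nil), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate("byopki intermediate", true, caKU, intermediateEKU), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate("image-signer", false, x509.KeyUsageDigitalSignature, leafEKU), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyCodeSigning checks the leaf against the root and intermediate the way a
// code-signing verifier does: every certificate in the chain that carries an
// EKU extension must permit code signing (EKU chaining).
func VerifyCodeSigning(c *Chain) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsIncompatibleKeyUsage reports whether err is crypto/x509's
// "certificate specifies an incompatible key usage" failure.
func IsIncompatibleKeyUsage(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage
}

func main() {
	tlsOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	cases := []struct {
		name        string
		inter, leaf []x509.ExtKeyUsage
	}{
		{"leaf with TLS EKUs only", codeSigning, tlsOnly},
		{"intermediate without code signing", tlsOnly, codeSigning},
		{"code signing on leaf and intermediate", codeSigning, codeSigning},
	}
	for _, tc := range cases {
		c, err := BuildChain(tc.inter, tc.leaf)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s -> %v\n", tc.name, VerifyCodeSigning(c))
	}
}
```

Only the third variant verifies; the first two fail with the same x509 error the issue reports. Mapped onto cfssl profile terms, this is the split the comment describes: "cert sign" (plus "crl sign" if CRLs are issued) on the root and intermediate, "code signing" on both the intermediate and the leaf.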

@saschagrunert (Contributor, Author) commented

We have this tutorial which outlines how it can be done: https://linuxera.org/signing-verifying-container-images-with-cosign-own-pki/
